Egil Aspevik Martinsen Polymorphic Viruses. Material from Master Thesis «Detection of Junk Instructions in Malicious Software»



Similar documents
CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08

Off-by-One exploitation tutorial

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail

TCG Algorithm Registry. Family 2.0" Level 00 Revision April 17, Published. Contact:

Efficient Program Exploration by Input Fuzzing

TitanMist: Your First Step to Reversing Nirvana TitanMist. mist.reversinglabs.com

Soft-Starter SSW-06 V1.6X

CTNET Field Protocol Specification November 19, 1997 DRAFT

Machine Programming II: Instruc8ons

Software Fingerprinting for Automated Malicious Code Analysis

Fault attack on the DVB Common Scrambling Algorithm

On the Security of Digital Video Broadcast Encryption

Configurable Events for APC Network Management Card

Return-oriented programming without returns

Abysssec Research. 1) Advisory information. 2) Vulnerable version

Command Param1 Param2 Return1 Return2 Description. 0xE9 0..0x7F (id) speed pos_high pos_low Set servo #id speed & read position

Self Protection Techniques in Malware

Network Configuration Example

CS61: Systems Programing and Machine Organization

Randy Lee FireEye Labs. Understanding Modern Malware.

Security of EnOcean Radio Networks

Inside a killer IMBot. Wei Ming Khoo University of Cambridge 19 Nov 2010

Peeling The Layers Of Vawtrak

Lecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z)

Fighting malware on your own

Systems Design & Programming Data Movement Instructions. Intel Assembly

AntiRE en Masse. Investigating Ferrie s Documented AntiUnpacking. Kurt Baumgartner, VP Behavioral Threat Research PCTools ThreatFire

APC APPLICATION NOTE #156

ANR INSTRUCTION MANUAL ELECTRICAL MULTIFUNCTION ANALYZER RECORDER COMMUNICATION PROTOCOL. ASCII standard ANR MODBUS-RTU

CMUX User Guide 30268ST10299A Rev. 3 19/01/09

Heap-based Buffer Overflow Vulnerability in Adobe Flash Player

A Tiny Guide to Programming in 32-bit x86 Assembly Language

USB Card Reader Configuration Utility. User Manual. Draft!

Chapter 4 Processor Architecture

Where s the FEEB? The Effectiveness of Instruction Set Randomization

Analysis of Win32.Scream

Syscall 5. Erik Jonsson School of Engineering and Computer Science. The University of Texas at Dallas

[ X OR DDoS T h r e a t A d v i sory] akamai.com

CS:APP Chapter 4 Computer Architecture Instruction Set Architecture. CS:APP2e

Unpacked BCD Arithmetic. BCD (ASCII) Arithmetic. Where and Why is BCD used? From the SQL Server Manual. Packed BCD, ASCII, Unpacked BCD

Nemo 96HD/HD+ MODBUS

Attacking x86 Windows Binaries by Jump Oriented Programming

RFID MODULE Mifare Reader / Writer SL032 User Manual Version 1.5 Nov 2012 StrongLink

INTRODUCTION TO MALWARE & MALWARE ANALYSIS

AN730. CRC Generating and Checking INTRODUCTION THEORY OF OPERATION EXAMPLE 1: MODULO-2 CALCULATION. Example Calculation. Microchip Technology Inc.

Machine-Level Programming II: Arithmetic & Control

Assembly Language: Function Calls" Jennifer Rexford!

Parasitics: The Next Generation. Vitaly Zaytsev Abhishek Karnik Joshua Phillips

CSEE bit AES decryption

Cloud Security VS Cybercrime Economy: The Kaspersky Vision. Eugene Kaspersky Co-founder & CEO, Kaspersky Lab

Test Driven Development in Assembler a little story about growing software from nothing

Packers Models. simple. malware. advanced. allocation. decryption. decompression. engine loading. integrity check. DRM Management

Binary Representation

Computer Virus Strategies and Detection Methods

RFID MODULE Mifare Reader / Writer SL025B User Manual Version 1.4 Nov 2012 StrongLink

An introduction to the Return Oriented Programming. Why and How

The Misuse of RC4 in Microsoft Word and Excel

x64 Cheat Sheet Fall 2015

Consult protocol, Nissan Technical egroup, Issue 6

Application-Specific Attacks: Leveraging the ActionScript Virtual Machine

REpsych. : psycholigical warfare in reverse engineering. def con 2015 // domas

Hacking the Preboot execution Environment

The 80x86 Instruction Set

David Cowen Matthew Seyer G-C Partners, LLC

Harnessing Intelligence from Malware Repositories

Packers. (5th April 2010) Ange Albertini Creative Commons Attribution 3.0

Computer Security DD2395

Full Power Domain SLCR (FPD_SLCR)

Upcompiling Legacy Code to Java

Promoting Network Security (A Service Provider Perspective)

Dialogic DSI Protocol Stacks MAP Programmer's Manual

An Analysis of the Excel Bug

NGBPA Next Generation BotNet Protocol Analysis

1949 Self-reproducing cellular automata Core Wars

Tamper protection with Bankgirot HMAC Technical Specification

About the Tutorial. Audience. Prerequisites. Copyright & Disclaimer

Using an IR Remote with a Raspberry Pi Media Center

Introduction. Compiler Design CSE 504. Overview. Programming problems are easier to solve in high-level languages

Building a computer. Electronic Numerical Integrator and Computer (ENIAC)

For a 64-bit system. I - Presentation Of The Shellcode

Deluge. Flashed with a Golden Image in order to become part of the swarm. All clients run the same image (modulo dissemination time).

Table 1 below is a complete list of MPTH commands with descriptions. Table 1 : MPTH Commands. Command Name Code Setting Value Description

ADOBE FRAMEMAKER 8 Character Sets (Windows and UNIX)

M A S S A C H U S E T T S I N S T I T U T E O F T E C H N O L O G Y DEPARTMENT OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE

Artisan Technology Group is your source for quality new and certified-used/pre-owned equipment

Introduction to Reverse Engineering

Chapter 14 Computer Threats

CVE Adobe Flash Player Integer Overflow Vulnerability Analysis

Brunata Optuna W (171)

Detecting Botnet Propagation

Stack Overflows. Mitchell Adair

Assembly Language Tutorial

Catalog No. Description / System Revision Status

Keynote. Professor Russ Davis Chairperson IC4MF & Work Shop Coordinator for Coordinator for Technology, Innovation and Exploitation.

Transcription:

Egil Aspevik Martinsen Polymorphic Viruses Material from Master Thesis «Detection of Junk Instructions in Malicious Software» 1

History 1982 Elk Cloner Brain 1987 1260 1992 Ply 1997 Melissa ILOVEYOU Zmist Code Red Sobig 2002 Blaster MyDoom Samy XSS Stration Storm 2007 Vandalism/Pranks/?? «Nerds» Money Organized crime / Mafia 2

Two Quotes «The most significant change has been the evolution of virus writing hobbyists into criminally operated gangs bent on financial gain» Mikko Hypponen, F-Secure, 2006, (http://www.f-secure.com/news/items/news_2006011900.shtml) «Last year was the first year that proceeds from cybercrime were greater than proceeds from the sales of illegal drugs, and that was, I believe, over $105 billion» Valerie McNiven, US Treasury, 2006 («Dirty money on the wires: the business models of cyber criminals». Virus Bulletin Conference, 2006) 3

One «Protection Money» Scheme Infected Computers Onlinepoker.com $$$$$$$ Botnet Controller operated by «Mafia» Paying Customer 4

Polymorfism «many forms» Regular viruses Polymorphic viruses Virus A Virus B Form 1.1 Form 1.w fa78743cb329a1 272a2dc3765a1 Form 1 Form 2 Form n PM Virus 5

Case study: Zmist Zmist is a virus employing many polymorphic techniques Zmist is the only virus known to utilize the code integration technique Of the leading 14 antivirus products tested, 7 failed to detect 100% of Zmist samples (AV-comparatives.org, February 2008 On-demand comparative) 6

Clean code Clean code before Zmist Clean code after Zmist Decryptor Initializing code Decryption of engine no De-initializing code Engine decryption completed? Engine yes Decrypted engine code 7

Decryptor 1 (D1) Decryptor 2 (D2) Decryptor 3 (D3) call [0x4082FE] [0x41B000], ecx bsf ecx, and ecx, 0x9ACEDD96 [0x41BE98], ebx ecx, esi btr ecx, ecx ecx, 0x5543994C ebx, 0x00426758 imul ecx, edx, 0xA461EDD1 sx ecx, ax [ebx], esi test al, 0xBA test edi, esi imul ecx, esi esi, 0x00000000 bswap ebx [0x424C70], esi ebx, edi add ch, bl esi, 0x0040A7E1 ecx, [esi] ebx, ecx shld esi, ecx, cl esi, 0x00423E40 dec cl inc ecx ecx, esi ebx call 0x00003090 [0x415E64] al, 0x4B xadd, adc, 0x01D257DA esi neg imul esi, ecx, 0xCD32F179 jmp 0x000030AF, 0x004167FC not esi lea esi, [-0x5EA21BF8] esi, esi bsr esi, ecx ecx test esi, [] esi, 0x60C25CE0 bswap esi esi, ebx sx esi, bp xadd esi, esi adc esi, 0x52ED71CC jmp 0x000030E0 test ebx, ecx ah, 0xF9 esi, 0xFCA091F5 imul, esi, 0x45285F96 add [0x421634], edi [0x41FBFC], ebx edi, 0x00421D90 [0x41FBF0], 0x00000000 edi, 0x004143E2 edi ebx, [] [0x4211B8], ebx edi, [0x4035E5] ebx, edi [0x41FBF8], ebx edi, 0x0041FBF0 ebx, ebx edi, 0x00421630, 0x00421630 ebx, [] ebx, [0x4062A8] [0x421630], ebx edi, [0x421630] 8 ebx,

Polymorphic Techniques Arbitrary placement of code and data Register renaming Change of code flow Junk instructions Semantically equivalent instructions 9

Decryptor 1 (D1) Decryptor 2 (D2) Decryptor 3 (D3) call [0x4082FE] [0x41B000], ecx bsf ecx, and ecx, 0x9ACEDD96 [0x41BE98], ebx ecx, esi btr ecx, ecx ecx, 0x5543994C ebx, 0x00426758 imul ecx, edx, 0xA461EDD1 sx ecx, ax [ebx], esi test al, 0xBA test edi, esi imul ecx, esi esi, 0x00000000 bswap ebx [0x424C70], esi ebx, edi add ch, bl esi, 0x0040A7E1 ecx, [esi] ebx, ecx shld esi, ecx, cl esi, 0x00423E40 dec cl inc ecx ecx, esi ebx call 0x00003090 [0x415E64] al, 0x4B xadd, adc, 0x01D257DA esi neg imul esi, ecx, 0xCD32F179 jmp 0x000030AF, 0x004167FC not esi lea esi, [-0x5EA21BF8] esi, esi bsr esi, ecx ecx test esi, [] esi, 0x60C25CE0 bswap esi esi, ebx sx esi, bp xadd esi, esi adc esi, 0x52ED71CC jmp 0x000030E0 test ebx, ecx ah, 0xF9 esi, 0xFCA091F5 imul, esi, 0x45285F96 add [0x421634], edi [0x41FBFC], ebx edi, 0x00421D90 [0x41FBF0], 0x00000000 edi, 0x004143E2 edi ebx, [] [0x4211B8], ebx edi, [0x4035E5] ebx, edi [0x41FBF8], ebx edi, 0x0041FBF0 ebx, ebx edi, 0x00421630, 0x00421630 ebx, [] ebx, [0x4062A8] [0x421630], ebx edi, [0x421630] 10 ebx,

Junk Instruction Detection (JID) Analysis of Zmist 6 months Detection of Zmist? Analysis of new PM virus? days Detection of new PM virus «In fact, while reverse engineering, you can spend up to 80% of your time reading the values in registers and deducing what the code will do or is doing as a result of these values» Konstantin Rozinov, Bell Labs, (rozinov.sfs.poly.edu/papers/bagle_analysis_v.1.0.pdf) 11

Decryptor 1 (D1) Decryptor 2 (D2) Decryptor 3 (D3) call [0x4082FE] [0x41B000], ecx bsf ecx, and ecx, 0x9ACEDD96 [0x41BE98], ebx ecx, esi btr ecx, ecx ecx, 0x5543994C ebx, 0x00426758 imul ecx, edx, 0xA461EDD1 sx ecx, ax [ebx], esi test al, 0xBA test edi, esi imul ecx, esi esi, 0x00000000 bswap ebx [0x424C70], esi ebx, edi add ch, bl esi, 0x0040A7E1 ecx, [esi] ebx, ecx shld esi, ecx, cl esi, 0x00423E40 dec cl inc ecx ecx, esi ebx call 0x00003090 [0x415E64] al, 0x4B xadd, adc, 0x01D257DA esi neg imul esi, ecx, 0xCD32F179 jmp 0x000030AF, 0x004167FC not esi lea esi, [-0x5EA21BF8] esi, esi bsr esi, ecx ecx test esi, [] esi, 0x60C25CE0 bswap esi esi, ebx sx esi, bp xadd esi, esi adc esi, 0x52ED71CC jmp 0x000030E0 test ebx, ecx ah, 0xF9 esi, 0xFCA091F5 imul, esi, 0x45285F96 add [0x421634], edi [0x41FBFC], ebx edi, 0x00421D90 [0x41FBF0], 0x00000000 edi, 0x004143E2 edi ebx, [] [0x4211B8], ebx edi, [0x4035E5] ebx, edi [0x41FBF8], ebx edi, 0x0041FBF0 ebx, ebx edi, 0x00421630, 0x00421630 ebx, [] ebx, [0x4062A8] [0x421630], ebx edi, [0x421630] 12 ebx,

Decryptor 1 (D1) Decryptor 2 (D2) Decryptor 3 (D3) call [0x4082FE] [0x41B000], ecx [0x41BE98], ebx ebx, 0x00426758 [ebx], esi esi, 0x00000000 [0x424C70], esi esi, 0x0040A7E1 ecx, [esi] ebx, ecx esi, 0x00423E40 ecx, esi ebx [ecx] esi, 0x00416723 ebx, [esi] ebx ecx ecx [0x424C6C] esi, 0x00424C70 ebx, [esi] ecx, ebx esi, 0x0041B004 ecx [esi] [0x41B004] ebx esi, 0x00416559 call jmp jmp sub sub xor jmp jmp 0x00003090 [0x415E64] esi 0x000030AF, 0x004167FC ecx [] 0x000030E0 esi, 0xFCA091F5 esi, 0x2154A1C0 esi, 0xACEEC496 esi, 0x2E5D2B9F [0x417CF0], esi [0x402A32] esi ecx, esi ecx [0x415E6C] 0x00003174 [0x40A9AB] 0x00003180 [0x415E60], 0x00417CF0 ecx, [] ecx esi add [0x421634], edi [0x41FBFC], ebx edi, 0x00421D90 [0x41FBF0], 0x00000000 edi, 0x004143E2 edi ebx, [] [0x4211B8], ebx edi, [0x4035E5] ebx, edi [0x41FBF8], ebx edi, 0x0041FBF0 ebx, ebx edi, 0x00421630, 0x00421630 ebx, [] ebx, [0x4062A8] [0x421630], ebx edi, [0x421630] 13 ebx,

Polymorphism Today Serverside polymorphism Pre-mutated Payload only High language polymorphism, not assembler Packers Work like Zmist decryptor. Used in clean code to avoid «software cracking» Used in virus code, 3-4 different packers applied 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information